Abstract

Photonic quantum key distribution is commonly implemented using interferometers, devices that inherently
cause the addition of vacuum ancillas, thus enlarging the quantum space in use. This enlargement
sometimes exposes the implemented protocol to new kinds of attacks that have not yet been analyzed.

We consider several quantum key distribution implementations that use interferometers, and analyze the 
enlargement of the quantum space caused by the interferometers. While we prove that some interferometric 
implementations are robust (against simple attacks), we also show that several other implementations used 
in QKD experiments are totally insecure. 

This result is somewhat surprising since although we assume ideal devices and an underlying protocol 
which is proven secure (e.g., the Bennett-Brassard QKD), the realization is insecure. Our novel attack 
demonstrates the risks of using practical realizations without performing an extensive security analysis 
regarding the specific setup in use. 



* Part of this work done while at Technion, Israel. 



I. INTRODUCTION 



Quantum Key Distribution (QKD) is a cryptographic protocol for expanding a pre-shared secret 
between two users (Alice and Bob) by transferring quantum systems. Once an adversary (Eve) 
tries to acquire information about a transferred quantum system, she inevitably disturbs it in a 
way that can be detected by the legitimate users, and causes the abortion of the protocol; this 
principle is known as "Information Vs. Disturbance" [1-6].

The first and most popular QKD protocol is the BB84 protocol [7], in which Alice sends qubits
to Bob using two conjugate bases. In the real world, qubits are implemented via various methods.
A very common QKD implementation is the phase-encoded, time-multiplexed scheme: A pulse
that contains a single photon is sent in a superposition of two possible times, so that the encoded
bit is the phase difference between these superpositions as initially suggested by Bennett [8] and
implemented by Townsend and others [9-11]. In order to produce and measure such superpositioned
pulses, it is common to use an interferometer (see Section IV A). In addition to the basic (phase-encoded,
time-multiplexed) setup, interferometers are also used in more complex QKD setups. For
instance, an interferometer is used in the implementation of Differential Phase Shift QKD (DPS-QKD)
[12-14], which generalizes the time-multiplexing scheme by encoding each bit as a phase
shift of three superpositioned pulses (instead of two). Another variant which uses an interferometer is
the Plug & Play protocol used in many experiments [15, 16] and commercial products [17, 18], in
which the signal is generated by Bob, sent over to Alice who modulates its phase, then sent back
to be measured by Bob.

In this paper we analyze interferometric-based QKD schemes. Specifically, we discuss different
ways to implement BB84 using interferometers. We also discuss implementations of more general 
schemes, such as the six-state QKD protocol. Once a protocol is implemented via photons and 
interferometers, the implementation differs from the ideal protocol (that uses abstract qubits) since 
the "ideal world" two-dimensional qubit space is replaced with a "real world" larger quantum space. 
This is due to two reasons: first, interferometers inherently introduce a higher-dimension space; 
and second, having pulses with zero photons, or more than one photon, implies a higher dimension 
as well. Here we focus on the first space enlargement. 

The usage of an enlarged quantum space requires a more careful security analysis of such 
implementations. Since Eve controls this large space (or parts of it), rather than the ideal qubit 
space, she can perform a much stronger attack than on the theoretical protocol. In this paper we 
design a novel type of attack, the reversed-space attack, based on considering this large space. 

As proving the security of a scheme is usually difficult, in this work we consider robustness, 
the ability to identify attacks on the protocol. Although robustness is a weaker property than 
security, showing robustness might be a first step towards a full security analysis. On the positive 
side, we show that many of the interferometric implementations are indeed robust (against a 
limited adversary), which might hint at the security of these implementations. On the other 
hand, we demonstrate a reversed-space attack on several BB84 implementations used in recent 
experiments [19-22] proving them to be insecure. Other realizations (e.g. [12, 23-25]), extend the 
above variants and use an even larger Hilbert space. The security of such extensions should be 
analyzed as well, potentially using the tools we present here. 

This work joins a line of research that examines the security of QKD implementations. Although 
BB84 has been proven secure against the most powerful attacks [6, 26-29], these proofs do not 
apply to realistic variants, and specific attacks were presented to exploit limitations of specific 
implementations (e.g., [30]). Several security analyses have been published for special cases [31, 32]: 
e.g., a specific protocol variant (DPS-QKD, Plug&Play, etc.), or a specific eavesdropping method. 
In addition, recent analyses have considered the security of protocols realized using imperfect 
equipment, such as faulty sources and detectors [33-35]. Still, a general framework that considers
such realistic QKD protocols, as well as attacks on such protocols, is still missing. 

A. The BB84 Protocol 

We mainly focus on implementations of the BB84 protocol [7]. In BB84 Alice uses two conjugate
bases (say, z and x) to encode each of her bits as one of the states $|0_z\rangle$, $|1_z\rangle$, $|0_x\rangle = \frac{1}{\sqrt{2}}(|0_z\rangle + |1_z\rangle)$,
or $|1_x\rangle = \frac{1}{\sqrt{2}}(|0_z\rangle - |1_z\rangle)$. Let $H^A$ be the quantum space Alice holds (here Alice is ideal, therefore
$H^A = H_2$).

The security of the protocol is based on limiting the error-rate measured by Bob, under the assumption
that when no eavesdropping has occurred, Bob should perfectly retrieve the bits encoded
by Alice. See more details in, e.g., [4-6, 27].

Note that in the theoretical (ideal) protocol, Alice and Bob use the same two-dimensional space
$H_2$. However, in a non-ideal world, the spaces $H^A$ and $H^B$, held by Alice and Bob respectively,
might be larger. An important demonstration of such a case is given in [30], where a realistic
photonic source is analyzed, such that the cases of zero photons and two photons are added, and
as a result $\dim H^A = 6$. Surprisingly, when interferometers are used, even in the case where
$\dim H^A = 2$ and all the devices are ideal, Bob measures six orthogonal states that are correlated
to the pulse sent by Alice. If Bob actually measures these 6 states, his measured-space becomes
much larger than $H_2$, specifically, $\dim H^B = 6$.

B. Eavesdropping 

An eavesdropper can perform various kinds of attacks; however, we focus on individual-particle
attacks. The simplest attack Eve can compose is a basic measure-resend attack, in which Eve
measures the qubit sent by Alice and obtains a classical outcome. Then, Eve sends Bob a different
qubit, determined by the classical outcome she measured. A much stronger individual-particle
attack can be done by attaching a separate auxiliary particle (the ancilla $|0\rangle_E$) to each one of the
qubits sent by Alice, and performing a unitary transformation $U_E$ on each qubit along with its
ancilla, possibly entangling them. To be more accurate, on each qubit sent by Alice, Eve performs
a unitary transformation

$|0\rangle_E |i\rangle_A \to \sum_j \epsilon_{i,j} |E_{i,j}\rangle_E |j\rangle_A$ , (1)

where i (and j) are vectors in the computation basis. Eve's ancillas (denoted as the subsystem
E) are kept for a later measurement, performed after Eve learns the basis used for each qubit.
For attacking an ideal BB84 scheme, it is sufficient to have a small-dimension ancilla, namely
$\dim H^E < 4$, due to Davies' theorem [36].

C. Robustness 

The criterion of robustness is often used in security analyses of QKD protocols (e.g., see robustness
analysis of the SARG protocol [37], the BBM protocol [38] and the classical-Bob protocol [39]).
We follow the robustness definition of [39] to analyze interferometric QKD implementations. 

Definition 1. A protocol is said to be completely robust if nonzero information acquired by 
Eve implies nonzero probability that the legitimate participants find errors on the bits tested by the 
protocol. A protocol is said to be completely nonrobust if Eve can acquire the entire information
transmitted in the protocol (namely, the entire information string), without inducing any errors on 
the bits tested by the protocol. 

Another closely-related definition is of partial robustness [39]: "A protocol is said to be partly
robust if Eve can acquire some limited information on the information string without inducing 
any error on the bits tested by the protocol." Partly-robust protocols could still be secure, yet 
completely nonrobust protocols are automatically proven insecure. As an illustrative example [30], 
BB84 is fully robust if Alice and Bob use qubits, but it is not completely robust if instead of (ideal) 
qubits they send pulses, and those pulses sometimes contain more than one photon. 

Proving robustness of ideal protocols against any attack is easier than proving its security. For 
complicated protocols and for practical implementations it is common that robustness is proven 
first, and the security proof is left for future work. 

D. Model and Assumptions 

The focus of this paper is QKD implementations based on single photons as the quantum carriers. 
In order to describe a qubit using a single photon, one needs to define two possible orthogonal 
states. These orthogonal states (called modes) are commonly either an intrinsic property (e.g. the
polarization of the photon, $|\updownarrow\rangle$ and $|\leftrightarrow\rangle$), or a spatial separation (e.g., $|t_0\rangle$ and $|t_1\rangle$ for different
times $t_0$, $t_1$). A very convenient way to describe photonic qubits is the Fock Space notations (See
Appendix A). Although our analysis is done using Fock notations, we stick in this extended abstract 
to the standard notations, and refer the reader to the appendix for full details. 

For simplicity, we assume throughout the paper that Alice's operations are ideal, namely she 
always succeeds in generating a qubit in the exact desired state. Under this assumption, it is easier 
to see the novelty and importance of the attack that we suggest and analyze here. 

We restrict the adversary to sending only pulses with a single photon, a single-photon-limited 
Eve (In Appendix C, we extend the robustness proof to an adversary which is limited to sending 2 
photons). Nevertheless, the adversary is capable of receiving, holding and manipulating quantum systems
of higher dimensions. Moreover, all our robustness proofs are against individual-particle attacks. 

Finally, we discuss the way losses are treated and differentiated from errors, since it can sometimes
influence the robustness (and security) analysis, as we now explain. Security proofs (e.g.,
[6, 26, 27]) determine the maximal error rate (attributed to Eve's attack) that keeps Eve's knowledge
negligible. If Bob considers each loss as a random bit obtained from Alice, he adds an error
with probability half, and thus increases the error-rate. In reality, the loss-rate is too high (commonly,
90% or even 99%) for considering each loss as half-an-error, since the resulting error-rate
will exceed the threshold, and the protocol will always be aborted. Allowing losses without defining 
a loss-rate threshold might allow Eve to perform useful attacks that result in losses yet no errors, 
and thus cannot be detected [30, 40]. In such cases, one might be able to define a loss-rate threshold 
such that for a high loss-rate the protocol is completely nonrobust, while for a low loss-rate the 
protocol is partly robust, and might yield a secure final key. 

II. ATTACKS IN AN ENLARGED SPACE 

We now adapt the standard security analysis to the case where Alice is ideal and Bob measures
a larger space (for instance, Bob uses an interferometer for his measurements). As a first step we
define the set of Eve's attacks on that large space that cannot be identified by the legitimate users,
that is, attacks that cause no errors. Later we consider the maximal amount of information Eve
may obtain by performing such an attack.



A. Formulating Eve's Attack 

Assume that Alice is ideal, and denote the basis states of her system by $|i\rangle_A$ with $i \in \{0, 1\}$. Eve
adds an ancilla in the state $|0\rangle_E$ and performs her attack on the joint system A and E as described
by Equation (1), using a unitary transformation $U_E$. Eve continues her attack by sending the
subsystem A to Bob.

However, Eve can use an enlarged system (e.g. by adding photons or modes). Eve has an incentive
to send states beyond the qubit of Alice if these influence Bob's measurement. A more general
attack can be described as

$|0\rangle_E |i\rangle_A \to \sum_k \epsilon_{i,k} |E_{i,k}\rangle_E |k\rangle_P$ (2)

where the subsystem P (rather than A) is sent over to Bob, and $|k\rangle_P$ are basis states of the system
P. Obviously, P = A is merely a special case, while in the more general case Eve might send Bob
a system with different dimensions than A. The subsystem which remains in Eve's hands to
be measured afterwards, can therefore differ from the subsystem E she initially had. Moreover,
both can be of any dimension as long as the dimension of the entire system does not change,
® = ® H^. Let a general qubit sent by Alice be $|\psi\rangle_A = \sum_i \alpha_i |i\rangle_A$ with $\sum_i |\alpha_i|^2 = 1$;
then due to linearity, the attack on that qubit is

$U_E\left(\sum_i \alpha_i |0\rangle_E |i\rangle_A\right) = \sum_{i,k} \alpha_i \epsilon_{i,k} |E_{i,k}\rangle_E |k\rangle_P$. (3)



B. Formulating Bob's Measurement 

In order to perform a general measurement, Bob might manipulate the state sent by Alice.
For instance, Bob might add an ancillary system B', perform some unitary operation on the joint
system and then perform a measurement of the joint system AB'.

We model Bob's measurement as (i) adding the ancilla¹ $|0\rangle_{B'}$; (ii) performing a unitary transformation
$U_B$ on $|\psi\rangle_A |0\rangle_{B'}$; and then (iii) measuring the joint system in the computation basis.
Note that $U_B$ changes according to the specific basis used by Bob. For the case of BB84, where
Bob uses a separate setup for the x and the z basis, we get

$|i\rangle_A |0\rangle_{B'} \xrightarrow{U_B^z} \sum_j \beta^z_{i,j} |j\rangle_{AB'}$ ; $|i\rangle_A |0\rangle_{B'} \xrightarrow{U_B^x} \sum_j \beta^x_{i,j} |j\rangle_{AB'}$ . (4)

The $\beta$'s are determined by the specific setup used by Bob, and the states $|j\rangle_{AB'}$ are Bob's basis
states in the computation basis, that is, the set of states that span $H^A \otimes H^{B'}$.

As an illustrative example, assume that Bob adds no ancilla and his detectors are set to the
z-basis. Therefore, for measuring the z basis Bob performs no transformation (i.e. $U_B^z = I$, the
identity matrix), while for measuring the x-basis he must perform the Hadamard transformation
$U_B^x = \mathcal{H} = \frac{1}{\sqrt{2}}\begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}$, so that $|0_x\rangle \to |0_z\rangle$ and $|1_x\rangle \to |1_z\rangle$. Since Bob adds no ancilla,
$H^{AB'} = H^A$ in this case. Using the notations of Equation (4), we get $U_B^z|0\rangle_A = |0\rangle_{AB'}$, thus
$\beta^z_{0,0} = 1$ and $\beta^z_{0,1} = 0$; $U_B^z|1\rangle_A = |1\rangle_{AB'}$, thus $\beta^z_{1,1} = 1$ and $\beta^z_{1,0} = 0$. We can write $\beta$ as a matrix
$\beta = (\beta_{i,j})_{i=0..1,\, j=0..1}$, which gives $\beta^z = I$, and in a similar way $\beta^x = \mathcal{H}$.

¹ Without loss of generality, we assume that Bob uses the same ancilla $|0\rangle_{B'}$ for all of his setups. This can always be
justified, e.g., by using a sufficiently large ancilla, such that the different setups potentially use different subsystems
of that ancilla.

It should be noted that Bob's transformation $U_B$ is actually defined on Bob's ancilla and the
space $H^P$ entering his lab (rather than $H^A$). Eve has no incentive to send Bob states that can
never affect his measurement and we can assume Eve sends exactly $H^P$ to Bob (any other system
that cannot affect Bob is sent back to Eve and considered as part of her ancilla $H^E$). In this case,
Bob performs a measurement of $B = PB'$, rather than of $AB'$.

While a fully powerful Eve knows the protocol space of Alice and Bob, and their equipment
limitations, Alice and Bob themselves might not be aware of the fact that the system A is replaced
by the enlarged system P. The above formulas (4) immediately generalize to this case, simply by
replacing the subscript A by the subscript P. The general final state $|\Psi_{EB}\rangle$ (held by Bob and
Eve), can be written as

$|\Psi_{EB}\rangle = (I_E \otimes U_B) \sum_{i,k} \alpha_i \epsilon_{i,k} |E_{i,k}\rangle_E |k\rangle_P |0\rangle_{B'} = \sum_{i,k,j} \alpha_i \epsilon_{i,k} \beta_{k,j} |E_{i,k}\rangle_E |j\rangle_B$ . (5)

There is a great deal of importance regarding the way Bob interprets his measurement outcome.
The states $|j\rangle_B$ can be classified into sets according to Bob's interpretation: some of these states
indicate "Alice has sent the bit 0", others indicate "Alice has sent the bit 1". Let us denote these
two sets by $J_0$ and $J_1$, respectively. An error occurs when Alice sends a bit b, while Bob measures
a state in $J_{1-b}$. Generally, for a specific transmission, we define by $J_{error}$ the set of all states that
imply an error, so in the example above $J_{error} = J_{1-b}$.

C. Attacks that Cause No Error 

When considering real implementations, there may be some outcomes that are not interpreted 
as a valid outcome. These outcomes can be divided into two groups: 

1. outcomes interpreted by Bob as a loss — a failed transmission that is not considered as an
error, because they naturally occur even when no eavesdropper interferes (e.g. a vacuum
state). These outcomes are denoted as the set $J_{loss}$.

2. invalid-erroneous outcomes $J_{invalid}$ — outcomes that can never occur if the quantum system
sent by Alice reaches Bob intact. It is Bob's choice of interpretation that determines whether
a specific outcome is considered a loss or an invalid result. Generally speaking, when an
invalid outcome increases the error rate, it is in $J_{invalid}$.

In order to analyze the robustness of QKD protocols, we consider attacks that cause no errors
or invalid outcomes at Bob's end. Formally, for any $|j'\rangle$ in $J_{error}$ or $J_{invalid}$, we require the overlap
$\langle j'|\Psi_{EB}\rangle$ to be zero. Using Equation (5) we see that Eve's attack causes no errors if and only if

$\langle j'| \sum_{i,k,j} \alpha_i \epsilon_{i,k} \beta_{k,j} |E_{i,k}\rangle_E |j\rangle_B = 0$, for any $j' \in J_{error} \cup J_{invalid}$.

Corollary 1. For a given QKD implementation, Eve's attack $U_E$ causes no errors if and only if
for every state $|\psi\rangle_A = \sum_i \alpha_i |i\rangle_A$ sent by Alice,

$\sum_{i,k} \alpha_i \epsilon_{i,k} \beta_{k,j} |E_{i,k}\rangle_E = 0$ , (6)

for any $j \in J_{error} \cup J_{invalid}$ (corresponding to the specific state $|\psi\rangle_A$).
Given a specific QKD implementation, the error rate is exclusively determined by the attack
$U_E$ performed by Eve.

Definition 2. Let $U_{zero}$ be the set of attacks on a given protocol, that cause no errors (in all the
possible setups of the protocol).

A scheme is robust if $U_{zero}$ only consists of attacks that give Eve no information about the
key. For BB84 with bases z and x, $U_{zero}$ is determined by the intersection of the zero-error attacks for
z-basis and x-basis.
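
The zero-error condition of Corollary 1 can be checked numerically. The following Python example is an addition to the text, not the authors' code: it uses the illustrative setup of Section II B, where Bob adds no ancilla so that $\beta^z = I$ and $\beta^x$ is the Hadamard matrix, and evaluates the left-hand side of Equation (6) for a constructed one-parameter family of attacks. The names `probe`, `error_probability`, `in_u_zero` and `eve_overlap` are assumptions made for this example.

```python
import math

R = 1 / math.sqrt(2)

# beta[basis][k][j]: Bob's setup in the illustrative example (no ancilla).
BETA = {
    "z": [[1, 0], [0, 1]],    # beta^z = I
    "x": [[R, R], [R, -R]],   # beta^x = Hadamard
}

# Alice's four BB84 states: amplitudes alpha_i in the computation basis,
# the basis Bob uses when the bases match, and the encoded bit b.
ALICE = {
    "0z": ([1, 0], "z", 0),
    "1z": ([0, 1], "z", 1),
    "0x": ([R, R], "x", 0),
    "1x": ([R, -R], "x", 1),
}


def error_probability(attack, state):
    """Squared norm of sum_{i,k} alpha_i eps_{i,k} beta_{k,j} |E_{i,k}>
    for the single outcome j in J_error = J_{1-b} (left side of Eq. (6)).

    attack[i][k] is the unnormalised ancilla vector eps_{i,k}|E_{i,k}>.
    """
    alpha, basis, bit = ALICE[state]
    j_err = 1 - bit
    vec = [0j] * len(attack[0][0])
    for i in range(2):
        for k in range(2):
            c = alpha[i] * BETA[basis][k][j_err]
            for n, amp in enumerate(attack[i][k]):
                vec[n] += c * amp
    return sum(abs(v) ** 2 for v in vec)


def in_u_zero(attack, tol=1e-12):
    """True if the attack causes no error for any of Alice's four states."""
    return all(error_probability(attack, s) < tol for s in ALICE)


def probe(theta):
    """Constructed attack family: Eve forwards |0> and |1> unchanged and
    tags her ancilla with |e0> = (1, 0) or |e1> = (cos theta, sin theta).
    theta = 0 is the identity attack; theta = pi/2 is a z-basis
    measure-resend attack (Eve's two records are orthogonal)."""
    zero = [0.0, 0.0]
    return [
        [[1.0, 0.0], zero],
        [zero, [math.cos(theta), math.sin(theta)]],
    ]


def eve_overlap(attack):
    """|<E_00|E_11>|: a value of 1 means Eve's two ancilla states are
    identical, so she learns nothing about the z-basis bit."""
    a, b = attack[0][0], attack[1][1]
    return abs(sum(x.conjugate() * y for x, y in zip(a, b)))


if __name__ == "__main__":
    for theta in (0.0, 0.5, 1.0, math.pi / 2):
        atk = probe(theta)
        print(f"theta={theta:.3f}  overlap={eve_overlap(atk):.3f}  "
              f"x-basis error={error_probability(atk, '0x'):.3f}  "
              f"in U_zero={in_u_zero(atk)}")
```

For this family the x-basis error equals (1 - overlap)/2, so the attack lies in $U_{zero}$ only when Eve's two ancilla states coincide, which is the robustness property of Definition 1 for ideal qubits.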

III. THE POWER OF REVERSED-SPACE ATTACKS 

One can apply the reversed transformation $(U_B)^{-1} = U_B^{\dagger}$ on each possible $|j\rangle_B$, in order to
identify the space that influences Bob's outcome. We call an attack, designed according to this
observation, a reversed-space attack. The term "reversed" here is borrowed from the "time reversal
symmetry" of quantum theory. The symmetry of quantum mechanics to the exchange of the
prepared (preselected) state and the measured (postselected) state was suggested by [41, 42] (and
was already used in quantum cryptography as well, see the time-reversed EPR scheme [43]). To
clarify this point, we stress that in Eve's attack described above, our assumption is that Eve sends
Bob a quantum system with space $H^P$, instead of $H^A$. Eve has no incentive in sending systems
of higher-dimension, thus she can limit $H^P$ to be the space given by the reverse method (i.e., the
space obtained by considering $(U_B)^{-1}$). As a by-product, this simplifies any security analysis, since
there is no use in analyzing spaces of larger dimension than the reversed-space.

In the following sections we describe different BB84 implementations that use interferometers, 
and analyze their robustness via the reverse-space method, against an adversary that is limited to 
sending pulses with up to one photon. 

IV. ANALYSIS OF PHASE-ENCODED INTERFEROMETRIC BB84 

In this section we analyze a phase-encoded time-multiplexed QKD implementation [9], and show
it is robust against a limited adversary.

A. Interferometric Implementation of the xy-BB84 Scheme

Consider a BB84 implementation which uses two time-separated modes (pulses). For every
transmission, the first mode arrives at Bob's lab at time $t'_0$, and the second mode at $t'_1 = t'_0 + \Delta T$.
We denote these pulses as $|t'_0\rangle$ and $|t'_1\rangle$ respectively. The users use the x and y bases, so that an
ideal Alice sends one of the following four states,

$|0_x\rangle_A = (|t'_0\rangle + |t'_1\rangle)/\sqrt{2}$    $|0_y\rangle_A = (|t'_0\rangle + i|t'_1\rangle)/\sqrt{2}$

$|1_x\rangle_A = (|t'_0\rangle - |t'_1\rangle)/\sqrt{2}$    $|1_y\rangle_A = (|t'_0\rangle - i|t'_1\rangle)/\sqrt{2}$ .

Bob measures the qubit using a Mach-Zehnder interferometer, which is a device composed of
two beam splitters (BS) with one short path, one long path, and a controlled phase shifter $P_\phi$
that is placed at the long arm of the interferometer (see Appendix B for a full description of
an interferometer, and analysis of its operation on single-photon modes). The length difference
between the two arms is determined by $\Delta T$: when the first pulse travels through the long arm, and
the second through the short arm, they arrive together at the output. Due to that exact timing
of the pulses, each incoming qubit is transformed into a superposition of 6 possible modes: 3 time
modes ($t_0$, $t_1$, $t_2$) at the straight (s) output arm of the interferometer, and 3 modes at the down
(d) output arm; see Figure 1.

FIG. 1. A Mach-Zehnder interferometer. (a) An input qubit. The time-difference between the two incoming
modes is identical to the difference between the two arms; (b) a vacuum state entering the second (blocked)
arm; (c) beam-splitters; (d) phase shifter $P_\phi$; (e) six output modes.



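For the sake of simplicity we denote these modes as $s_0, s_1, s_2, d_0, d_1, d_2$, and since we only
consider pulses with zero or one photons, we can use the states $|s_0\rangle$, $|d_0\rangle$, etc.², along with the
vacuum state $|V\rangle$ (a pulse that contains no photons).

The interferometer's operation (see Equation (B2)) is defined by $|V\rangle \mapsto |V\rangle_B$ and

$|t'_0\rangle \mapsto (|s_0\rangle_B - e^{i\phi}|s_1\rangle_B + i|d_0\rangle_B + ie^{i\phi}|d_1\rangle_B)/2$

$|t'_1\rangle \mapsto (|s_1\rangle_B - e^{i\phi}|s_2\rangle_B + i|d_1\rangle_B + ie^{i\phi}|d_2\rangle_B)/2$ . (7)

Bob sets the phase $\phi$ according to the basis he wishes to measure: $\phi = 0$ for the x-basis and
$\phi = \pi/2$ for the y-basis. When Alice's and Bob's bases match, the input qubit evolves in the
interferometer as

$|0_x\rangle_A \mapsto (|s_0\rangle_B - |s_2\rangle_B + i|d_0\rangle_B + 2i|d_1\rangle_B + i|d_2\rangle_B)/\sqrt{8}$

$|1_x\rangle_A \mapsto (|s_0\rangle_B - 2|s_1\rangle_B + |s_2\rangle_B + i|d_0\rangle_B - i|d_2\rangle_B)/\sqrt{8}$

$|0_y\rangle_A \mapsto (|s_0\rangle_B + |s_2\rangle_B + i|d_0\rangle_B - 2|d_1\rangle_B - i|d_2\rangle_B)/\sqrt{8}$

$|1_y\rangle_A \mapsto (|s_0\rangle_B - 2i|s_1\rangle_B - |s_2\rangle_B + i|d_0\rangle_B + i|d_2\rangle_B)/\sqrt{8}$ . (8)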

Bob opens his detectors at time $t_1$ at both the arms. A click at the "down" direction (i.e., measuring
the state $|d_1\rangle$) means the bit-value 0, while a click at the "straight" direction ($|s_1\rangle$) means 1. The
other modes are commonly considered as a loss (namely, they are not measured) since they do
not reveal the value of the original qubit. The above implementation is commonly used for QKD
experiments [44-46], and products [17, 18]. We denote this implementation scheme by xy-BB84.

Since measuring the other modes ($|s_0\rangle$, etc.) does not reveal the bit Alice has sent, measuring
these modes can only help Bob in noticing some eavesdropping attacks. On the other hand,
considering these modes complicates the security analysis since Eve might send superpositions of
the time-modes $t'_2 = t'_1 + \Delta T$, and $t'_{-1} = t'_0 - \Delta T$, which will not result in $|V\rangle$.

² Using the Fock state notations and the description of interferometers in Appendix B, a basis state in Bob's space
is given by $|n_{s_0}, n_{s_1}, n_{s_2}, n_{d_0}, n_{d_1}, n_{d_2}\rangle^F$, and we define $|100000\rangle^F = |s_0\rangle$; $|010000\rangle^F = |s_1\rangle$; $|001000\rangle^F = |s_2\rangle$;
$|000100\rangle^F = |d_0\rangle$; $|000010\rangle^F = |d_1\rangle$; $|000001\rangle^F = |d_2\rangle$, and the vacuum state $|000000\rangle^F = |V\rangle$.
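
As an added example (not code from the paper), the following Python sketch applies Equation (7) numerically, checks the matched-basis statistics Bob sees at time $t_1$, and lists which input time-bins overlap a given set of measured output modes. It goes slightly beyond the two bins Alice uses by assuming that Equation (7) holds, shifted in time, for any input bin $t'_k$; the function names are illustrative.

```python
import cmath
import math

OUT_MODES = ("s0", "s1", "s2", "d0", "d1", "d2")   # Bob's six output modes
R = 1 / math.sqrt(2)

# Alice's four states as amplitudes over the input bins t'_0 and t'_1,
# paired with the phase Bob sets when his basis matches hers.
ALICE = {
    "0x": ({0: R, 1: R}, 0.0),
    "1x": ({0: R, 1: -R}, 0.0),
    "0y": ({0: R, 1: 1j * R}, math.pi / 2),
    "1y": ({0: R, 1: -1j * R}, math.pi / 2),
}


def interferometer(amplitudes, phi):
    """Single-photon action of the interferometer, Eq. (7), applied to
    any input bin t'_k (assumption: the same rule, shifted in time):
      |t'_k> -> (|s_k> - e^{i phi}|s_{k+1}> + i|d_k> + i e^{i phi}|d_{k+1}>)/2
    Amplitude that lands outside the six listed modes is dropped."""
    e = cmath.exp(1j * phi)
    out = dict.fromkeys(OUT_MODES, 0j)
    for k, a in amplitudes.items():
        for mode, coeff in ((f"s{k}", 1), (f"s{k + 1}", -e),
                            (f"d{k}", 1j), (f"d{k + 1}", 1j * e)):
            if mode in out:
                out[mode] += a * coeff / 2
    return out


def bob_statistics(state):
    """(P(bit 0), P(bit 1), P(loss)) for a matched-basis transmission:
    a click in d1 reads as 0, a click in s1 as 1, anything else is a loss."""
    amplitudes, phi = ALICE[state]
    out = interferometer(amplitudes, phi)
    p0 = abs(out["d1"]) ** 2
    p1 = abs(out["s1"]) ** 2
    return p0, p1, 1 - p0 - p1


def reversed_space(measured, phi, bins=range(-3, 5), tol=1e-12):
    """Input bins t'_k whose image has non-zero overlap with at least one
    of the output modes Bob actually measures."""
    return [k for k in bins
            if any(abs(interferometer({k: 1}, phi)[m]) > tol for m in measured)]


if __name__ == "__main__":
    for name in ALICE:
        p0, p1, loss = bob_statistics(name)
        print(f"{name}: P(0)={p0:.2f} P(1)={p1:.2f} P(loss)={loss:.2f}")
    print("Bob measures only s1, d1 :", reversed_space({"s1", "d1"}, 0.0))
    print("Bob measures all 6 modes :", reversed_space(set(OUT_MODES), 0.0))
```

With only $|s_1\rangle$ and $|d_1\rangle$ measured, the relevant input bins are $t'_0$ and $t'_1$; once all six modes are measured, $t'_{-1}$ and $t'_2$ also reach Bob's detectors.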
B. Robustness Proof for a Single-Photon-Limited Eve

We now prove the xy-BB84 implementation to be completely robust against a single-photon
limited Eve. We begin by defining the set $U_{zero}$ of attacks that induce no errors, according to
Definition 2. Since we limit the parties to single-photon pulses, we only need to consider the subspace
that contains the vacuum state and the single-photon states, i.e., the states $|V\rangle$, $|s_0\rangle$, $|s_1\rangle$,
$|s_2\rangle$, $|d_0\rangle$, $|d_1\rangle$ and $|d_2\rangle$ defined above. The analysis must consider the space Bob actually measures,
$H^B$, and the states (sent by Alice or Eve) that, after the interferometer, have a non-zero overlap
with the modes measured by Bob. This idea is what differentiates our analysis from previous
methods of analyzing (theoretical) protocols.

In xy-BB84, Bob only measures time-bin $t_1$, thus we are interested in the subspace spanned
by $\{|V\rangle, |s_1\rangle, |d_1\rangle\}$. By applying $U_B^{\dagger}$ on these three states, we get the states sent by Eve³ that
influence Bob. Following Section II we refer to such an attack as the reversed-space attack on this
specific scheme.

Theorem 2. Assuming a single-photon-limited adversary, the xy-BB84 scheme is completely robust.

Proof. We describe the measurement Bob performs, for both bases, as $J_0 = \{|d_1\rangle\}$; $J_1 = \{|s_1\rangle\}$;
$J_{loss} = I - J_0 - J_1 = \{|V\rangle\}$; and $J_{invalid} = \{\}$, where the set $I$ represents the computation basis of
the space measured by Bob, and the minus stands for set difference. Eve might send the photon
at any desired time-bin, or not send a photon at all. However, the photon will affect Bob only in
the case it is sent at time-bins $t'_0$ or $t'_1$. Thus, Eve has no advantage in attacking a larger space
than the one used by Alice, and $H^P$ is spanned by $\{|V\rangle, |t'_0\rangle, |t'_1\rangle\}$. Note that if we ignore the
vacuum state, which can not be sent by an ideal Alice, then $H^P = H^A$.

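We use Corollary 1 to define attacks that cause no errors at all. For this specific implementation,
$U_{zero}$ consists of the attacks that satisfy Equation (6) in four cases, matching the four BB84 states
sent by Alice. Bob's setup (i.e. the constants $\beta_{k,j}$) is determined by the basis he measures; we
denote the $\beta$'s imposed by the x-setup ($\phi = 0$) as $\beta^x$, and the ones imposed by the y-setup
($\phi = \pi/2$) by $\beta^y$, and write $\beta$ in a matrix form. It is immediate from the operation of the
interferometer, Equation (7), that⁴

$$
\beta^x = \frac{1}{2}
\begin{pmatrix}
-1 & 0 & 0 & i & 0 & 0 \\
1 & -1 & 0 & i & i & 0 \\
0 & 1 & -1 & 0 & i & i \\
0 & 0 & 1 & 0 & 0 & i
\end{pmatrix}_{k=\{t'_{-1},\,t'_0,\,t'_1,\,t'_2\},\ j=\{s_0,\,s_1,\,s_2,\,d_0,\,d_1,\,d_2\}}
\qquad
\beta^y = \frac{1}{2}
\begin{pmatrix}
-i & 0 & 0 & -1 & 0 & 0 \\
1 & -i & 0 & i & -1 & 0 \\
0 & 1 & -i & 0 & i & -1 \\
0 & 0 & 1 & 0 & 0 & i
\end{pmatrix}
\qquad (9)
$$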

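Consider the case where Alice sends $|0_x\rangle$, namely, $\alpha_0 = \alpha_1 = \frac{1}{\sqrt{2}}$. An error occurs if Bob
measures $J_{error} = \{|s_1\rangle\}$, and by Equation (6), the attack causes no error if

$\frac{-1}{2\sqrt{2}}\left(\epsilon_{0,0}|E_{0,0}\rangle_E + \epsilon_{1,0}|E_{1,0}\rangle_E\right) + \frac{1}{2\sqrt{2}}\left(\epsilon_{0,1}|E_{0,1}\rangle_E + \epsilon_{1,1}|E_{1,1}\rangle_E\right) = 0$, (10)

and when Alice sends $|1_x\rangle$, $J_{error} = \{|d_1\rangle\}$, which implies

$\frac{i}{2\sqrt{2}}\left(\epsilon_{0,0}|E_{0,0}\rangle_E - \epsilon_{1,0}|E_{1,0}\rangle_E\right) + \frac{i}{2\sqrt{2}}\left(\epsilon_{0,1}|E_{0,1}\rangle_E - \epsilon_{1,1}|E_{1,1}\rangle_E\right) = 0$. (11)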

³ Eve might have only partial control of these states, since they originate not only from the channel between Alice
and Bob, but from the ancilla added by Bob as well.
⁴ While in this section we care only about $j = \{s_1, d_1\}$, in Section VI below we discuss $j = \{V, s_0, s_1, s_2, d_0, d_1, d_2\}$.
Thus we describe here $\beta$'s elements for this entire set (omitting the vacuum state, since in any possible setup,
$|V\rangle \to |V\rangle$).
The same is repeated for the y-basis and we get the solution

and

$\epsilon_{1,0}|E_{1,0}\rangle_E = \epsilon_{0,1}|E_{0,1}\rangle_E = 0$ . (12)

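It follows that Eve's attack must be of the form

$|0\rangle_E |0_z\rangle_A \to p\,|\phi\rangle_E |0\rangle_P + \sqrt{1-p^2}\,|\psi_0\rangle_E |V\rangle_P$

$|0\rangle_E |1_z\rangle_A \to p\,|\phi\rangle_E |1\rangle_P + \sqrt{1-p^2}\,|\psi_1\rangle_E |V\rangle_P$ (13)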

where p is the probability that Eve sends a qubit to Bob rather than blocking it. For p < 1 this
is the blocking attack and for p = 1 it is the identity attack where Eve transmits the qubit to Bob
intact. For these attacks, either Eve gets full information about Alice's state, or Bob does. In both
cases, Eve has no information about the bits used for the key, and the specific implementation is
completely robust according to Definition 1. □

In Appendix C we generalize this result and prove robustness against a more realistic, yet limited,
adversary restricted to pulses with at most two photons. Unfortunately, our method is not scalable
to the general case.

V. TIME-BIN ENCODED STATES "NATIVE" IMPLEMENTATION

A. "Native" implementation for x and z bases

Let us now extend the analysis to implementations that use the z-basis. This might be required,
for instance, in order to implement the 6-state QKD protocol [47], in which Alice sends a qubit using
the x, y and z bases at random; or in order to perform "QKD with classical Bob" [39, 48, 49] in
which one party is restricted to use only the (classical) z-basis, and either performs measurements
in that basis or returns the qubits (unchanged) to the other party.

We now describe a setup that Bob can employ in order to measure the z-basis, e.g. the states
$|0_z\rangle = |t'_0\rangle$ and $|1_z\rangle = |t'_1\rangle$. The implementation is rather straightforward — Bob measures the
pulses after the appropriate delay $T_{short}$, so that the measurement of $|0_z\rangle$ ($|1_z\rangle$) is done by opening
a detector at time $t_0$ ($t_1$); see Figure 2.

The respective transformation $U_B^z$ is the identity operator

(14)

where the other modes are not measured by Bob, and are not relevant for this scheme. We use the
mode instead of the more intuitive $|s_0\rangle$ in order to be consistent with the modes representing
the bit values 0 and 1 when the x (or y) setup is used⁵.

FIG. 2. Bob's laboratory setup for the z basis.

⁵ This can be justified by placing and removing a mirror, such that the pulse entering the lab at time $t'_1$ is reflected
to the d arm.
We denote the BB84 protocol that uses x and z bases by alternating the setups (adding and
removing beam-splitters as needed), as native-xz-BB84. In the same manner, a six-state protocol
implemented by alternating the above setups (e.g., [50]) is denoted as native-six-state scheme.

B. Robustness of the native-a;z-BB84 protocol against a single-photon-limited Eve 

It is rather straightforward to extend the proof given in Section IV B to the native- a;2-BB84 
scheme. Define, for the z-basis setup, Jq = Ji = {l^i)} and Jioss = I — Jo — Ji- The 



immediately from Equation (6) that any attack that causes no errors must satisfy eo,i = ei,o = . 
The set Uzcro includes attacks that satisfy the above requirement as well as the x-basis requirement. 
As before, the requirements yield the solution (13), and the native-xz-BB84 scheme is robust under 
our assumptions. 

C. Robustness of the native-six-state protocol for a single-photon-limited Eve 

It is easy to verify that the same result holds when using the y-basis instead of the x-basis. 
This proves the robustness of the native-yz-BB84 scheme. Combining this result with the result of 
the previous subsection immediately yields that the native-six-state scheme is robust as well, under 
the same assumptions. 

Theorem 3. Assuming a single-photon-limited adversary, the native-six-state scheme is completely 
robust. 

VI. TIME-BIN ENCODED STATES "UNIFIED" IMPLEMENTATION 
A. A "Unified" implementation for x and z bases 

The native implementation suffers from one main caveat: the need of a mechanical operation after 
each qubit-transmission, as the basis must be chosen at random. Such an operation might take 
a lot of time and substantially decrease the maximal bit-rate allowed in the protocol. Other 
implementations do not involve mechanical operation but use a beam-splitter to split the channel such 
that each output reaches a different setup (see for instance [50]). These kinds of implementations 
suffer from a higher loss-rate and a lower bit-rate. 

Let us describe a BB84 protocol that uses the z and x bases, in which Bob's interferometric 
setup is fixed and independent of the basis used [20, 21, 23, 24]. The idea is to use the setup 
Ub^ for measuring both bases in the following manner. In order to perform a measurement in the 
x basis, Bob opens his two detectors at time-bin $t_1$, so that he measures the states $|s_1\rangle$ and $|d_1\rangle$. 
In addition, for measuring the z basis, Bob measures $|s_0\rangle$, $|d_0\rangle$ that implies the bit-value '0' and 
$|s_2\rangle$, $|d_2\rangle$ that implies '1' (see Equations (7) and (8)). We denote this scheme as unified-xz-BB84. 

Bob measures different time-bins than $t_1$, namely times $t_0$ and $t_2$, and the set $I$ becomes 
$\{|V\rangle, |d_0\rangle, |d_1\rangle, |d_2\rangle, |s_0\rangle, |s_1\rangle, |s_2\rangle\}$. In contrast to previous schemes, in this scheme the input modes $t'_{-1}$ 
and $t'_2$ might have a non-zero overlap with the modes measured by Bob. The reverse-space-attack 
implies that the input space is much larger than H^: a state sent by Eve is a superposition of 
modes $t'_{-1}$ to $t'_2$. 



appropriate f3j 



>kj, following Equation (14), are given 




follows 
B. (Non-)Robustness of unified-xz-BB84 scheme for a single-photon-limited Eve 



Theorem 4. The unified-xz-BB84 scheme is completely nonrobust. 

Proof. Let us repeat the above analysis for the unified-xz-BB84 scheme. For the non-robustness 
proof, it suffices to restrict Eve (as well as any natural noise) to single photon pulses. The 
requirements for the x-basis remain as given in Section IV B (Equations (10)-(11)). In addition, when Bob 
measures the z basis, he interprets his outcome according to $J_0 = \{|d_0\rangle, |s_0\rangle\}$, $J_1 = \{|d_2\rangle, |s_2\rangle\}$, 
$J_{\text{invalid}} = \{\}$ (due to the single-photon assumption), and $J_{\text{loss}} = I - J_0 - J_1$. The setup is joined 
for both the z and the x bases, = /3^, whose value is given in Equation (9). 
Following Corollary 1, an attack $U_E$ causes no errors if it satisfies 

$$i\epsilon_{0,1}|E_{0,1}\rangle + i\epsilon_{0,2}|E_{0,2}\rangle = 0, \qquad -\epsilon_{0,1}|E_{0,1}\rangle + \epsilon_{0,2}|E_{0,2}\rangle = 0 \tag{15}$$

corresponding to the case where Alice sends $|0_z\rangle$, i.e. $\alpha_0 = 1$, $\alpha_1 = 0$, and $J_{\text{error}} = \{|d_2\rangle, |s_2\rangle\}$, as 
well as 

$$i\epsilon_{1,-1}|E_{1,-1}\rangle + i\epsilon_{1,0}|E_{1,0}\rangle = 0, \qquad -\epsilon_{1,-1}|E_{1,-1}\rangle + \epsilon_{1,0}|E_{1,0}\rangle = 0 \tag{16}$$

corresponding to the case where Alice sends $|1_z\rangle$, i.e. $\alpha_0 = 0$, $\alpha_1 = 1$, and $J_{\text{error}} = \{|d_0\rangle, |s_0\rangle\}$. This 
leads to the constraints $\epsilon_{0,1} = \epsilon_{0,2} = 0$ and $\epsilon_{1,-1} = \epsilon_{1,0} = 0$. Along with the requirements for the 
x-basis the only possible attacks are of the form 



\0)e\0.)a^p\<P)e\0)p+pi\cPi)\-1)p+P2\^Po)e\V)p ^^^^ 



\0)^\U)A^p\cp)E\l)p+pM\2)p+p4\i^l)E\V)p 

with $|p|^2 + |p_1|^2 + |p_2|^2 = |p|^2 + |p_3|^2 + |p_4|^2 = 1$. Using this result, it is easy to devise an attack 
and show the protocol is completely non-robust. For instance, let 

$$|0\rangle_E|0_z\rangle_A \to |E_1\rangle_E|t'_{-1}\rangle_P, \qquad |0\rangle_E|1_z\rangle_A \to |E_2\rangle_E|t'_2\rangle_P$$

with orthogonal $|E_1\rangle$, $|E_2\rangle$. This attack never causes an error, yet it increases the loss rate — Bob 
always gets a loss when using the x basis. This means that only bits encoded using the z basis are 
used for transferring information, and Eve can copy the information. It follows that the unified-xz-BB84 
is completely nonrobust according to Definition 1. (This specific attack is somewhat related 
to the "fake state" attack of [34]). □ 

As mentioned, in the above attack all the qubits passed by Eve are in the z-basis (i.e., the loss- 
rate Bob sees for the x-basis is 1). We can compose an attack that doesn't have such a property 
(for instance, by letting p > 0), in which Eve does not force a loss in the x-basis, yet she does not 
learn the information for that basis. 
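
The attack from the proof of Theorem 4, run numerically through the single-photon interferometer map of Equation (B2), as an added example (not code from the paper). The function names, the register tags `E1`/`E2`, the choice φ = 0 and the x-basis click-to-bit assignment are assumptions of this sketch; Bob's z-basis reading follows the sets J_0 and J_1 given in the proof.

```python
import cmath
from collections import defaultdict
from math import sqrt

def interferometer(pulses, phi=0.0):
    """Equation (B2) applied per input time-bin.
    pulses: {(eve_tag, j): amplitude of one photon in input mode t'_j}
    returns {(eve_tag, arm, k): amplitude in output mode (arm, t_k)}"""
    e = cmath.exp(1j * phi)
    out = defaultdict(complex)
    for (tag, j), a in pulses.items():
        out[tag, "s", j] += a / 2
        out[tag, "s", j + 1] += -e * a / 2
        out[tag, "d", j] += 1j * a / 2
        out[tag, "d", j + 1] += 1j * e * a / 2
    return out

R = 1 / sqrt(2)
# Alice's states as (alpha_0, alpha_1) on time-bins t'_0, t'_1, keyed by (basis, bit).
ALICE = {("z", 0): (1, 0), ("z", 1): (0, 1), ("x", 0): (R, R), ("x", 1): (R, -R)}

def honest(a0, a1):
    return {("none", 0): a0, ("none", 1): a1}

def attack(a0, a1):
    # The page's example: |0_z> -> |E1>|t'_{-1}>, |1_z> -> |E2>|t'_2>, E1 orthogonal to E2.
    return {("E1", -1): a0, ("E2", 2): a1}

EVE_READS = {"E1": 0, "E2": 1}  # what Eve's orthogonal register tells her

def bob_bit(basis, arm, k):
    """Bob's interpretation of a click in the unified setup; None means loss."""
    if basis == "z":
        return {0: 0, 2: 1}.get(k)      # J_0 = {d_0, s_0}, J_1 = {d_2, s_2}
    if k != 1:
        return None                      # x basis: detectors open at t_1 only
    return 0 if arm == "d" else 1        # assumption from (B2), phi = 0: |0_x> exits at d_1

def stats(channel, basis):
    """Rates over Alice's two states of `basis`, with Bob measuring the same basis."""
    r = {"ok": 0.0, "error": 0.0, "loss": 0.0, "eve_knows": 0.0}
    for (b, bit), (a0, a1) in ALICE.items():
        if b != basis:
            continue
        for (tag, arm, k), amp in interferometer(channel(a0, a1)).items():
            p = abs(amp) ** 2 / 2        # each bit is sent with probability 1/2
            got = bob_bit(basis, arm, k)
            if got is None:
                r["loss"] += p
            else:
                r["ok" if got == bit else "error"] += p
                if EVE_READS.get(tag) == got:
                    r["eve_knows"] += p
    return {key: round(v, 9) for key, v in r.items()}

if __name__ == "__main__":
    for name, ch in (("honest", honest), ("attack", attack)):
        for basis in "zx":
            print(name, basis, stats(ch, basis))
```

In this model the z-basis rates under the attack equal the honest ones and the error rate is zero in both bases, while the x-basis loss rate rises from 0.5 to 1; every conclusive z-basis bit is also known to Eve.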

Finally, note that the above attack also applies to the unified six-state QKD scheme (see [22], 
for instance), making such realizations totally insecure. Going beyond the schemes presented here 
is left for future research. 



VII. CONCLUSION 

We study robustness of common QKD implementations by formulating the conditions that make 
a specific attack undetectable. Assuming a single-photon restricted adversary, we show that several 
of the implementations in use are robust, while others are completely nonrobust (and thus insecure): 
the adversary is capable of learning all of the information about the final key without causing any 
errors at the legitimate user's end. The security flaw emerges from the way the devices are used, 
rather than their imperfections or insecurity of the underlying BB84 (or six-state) protocol. A 
complete security proof of the implementations we prove robust is still missing. Another question 
we leave open is whether the above robustness proof can be extended to the case of an unlimited 
adversary. 

We conclude that a security analysis of a QKD realization must be done according to the 
specific equipment in use. A security proof of a theoretical protocol is relevant only when the setup 
considered is proven to realize the theoretical protocol in an exact manner. Yet, any realization 
deviates from the theoretical one, and this should be considered by the security analysis. A general 
framework for all possible deviations is still missing (see discussion in a preliminary version of this 
paper [51]). This conclusion is crucial when considering off-the-shelf products, claiming to bring 
QKD with proven security. 
APPENDIX 



Appendix A: Photonic Qubits and Fock Space 

The Fock-Space (FS) notation is the best way to describe a quantum system where the "players" 
are indistinguishable particles such as photons, using the occupancy number basis. The Fock-state 
$|n\rangle^F$ represents n particles in a given mode^, for instance, the number of photons in a certain 
electromagnetic pulse that have the same horizontal polarization $|{\leftrightarrow}\rangle$. When needed, a subscript 
is added to the Fock-state in order to identify the specific mode, e.g. $|n\rangle^F$ or When more 

than one mode is considered, we write the joint state $|n_1, n_2, \ldots, n_k\rangle^F$ to indicate $n_i$ photons in 
the ith mode. Using this notation, a description of a general single-photon qubit, $|\phi_{\text{qubit}}\rangle = 
\alpha_0|10\rangle^F + \alpha_1|01\rangle^F$, is based on using two modes (say two orthogonal polarizations) $|0_z\rangle = |10\rangle^F$ and 
$|1_z\rangle = |01\rangle^F$. For instance, the states $|0_x\rangle = \frac{1}{\sqrt{2}}(|10\rangle^F + |01\rangle^F)$ and $|1_x\rangle = \frac{1}{\sqrt{2}}(|10\rangle^F - |01\rangle^F)$ commonly 
represent the two diagonal polarizations. 

Unfortunately, in real life Alice is unable to send perfect qubits; due to the specific device used, 
Alice often sends the vacuum state $|00\rangle^F$, and also sometimes sends more than a single photon 
(i.e., the states $|20\rangle^F$, $|11\rangle^F$ and $|02\rangle^F$). To be more precise, she actually sends the 2-mode multi- 
photon state X]^=o n2=o '^"i."2 1"-!' ''^2)^, containing also terms with more than two photons. Such 
terms usually have a negligible probability, and it is sufficient to analyze the 6-dimensional Hilbert 
space of zero, one and two photons. Alice might also (unintentionally) send more modes than 
she intended to. Thus, the most general state Alice could send is a k-mode multi-photon state 
Yl'^i nfc=o '^ni,...,nk \ni, ■ ■ ■ , ukT . Sending more than two modes could also have a negative effect 
on the security of the protocol. 

Bob's ideal measurement of the Fock-state $|n\rangle^F$ is commonly assumed to be limited to a complete 
measurement that yields the number of photons occupying the mode, i.e. the number n. This can 
be extended to an ideal measurement of the k-mode Fock-state $|n_1, n_2, \ldots, n_k\rangle^F$ which yields the 
numbers $n_1$ to $n_k$. In Appendix C 1, we discuss more realistic measurements of a multi-photon 
state. 

In addition, Bob can measure other specific properties of the state using (for instance) beam 
splitters, phase shifters and mirrors [52]. For example, let us assume that Bob wants to distinguish 
the state $\frac{1}{\sqrt{2}}(|10\rangle^F + |01\rangle^F)$ from $\frac{1}{\sqrt{2}}(|10\rangle^F - |01\rangle^F)$ where the different modes are different paths 
of the photon. Bob can perform a phase shift of 45° on the path represented by the first mode, 
and then place a symmetric beam splitter to obtain $|10\rangle^F$ or $|01\rangle^F$ respectively at the outputs of 
the beam splitter (up to a general phase). These two states can be distinguished by a simple 
measurement as described above. 

Appendix B: Interferometer 

An interferometer (Figure 1) is a device composed of two beam splitters (BS) with one short 
path, one long path, and a controlled phase shifter $P_\phi$, that is placed at the long arm of the 
interferometer. We focus on the following case which is used for measuring differential phase-shift 
QKD. 

In each transmission, a superposition of two (time) modes enter the interferometer and result in 
a superposition of 6 modes (Figure 1). The input modes are separated with a time difference of $\Delta T$ 
seconds, that is, the first mode arrives at time $t'_0$, and the second at $t'_1 = t'_0 + \Delta T$. The first pulse 
travels through the short arm in $T_{\text{short}}$ seconds, and through the long arm in $T_{\text{long}} = T_{\text{short}} + \Delta T$ 



^ We use the notation $|\cdot\rangle^F$ to indicate use of the occupancy number basis. 
seconds, where the time difference between the two arms is exactly the time difference $\Delta T$ between 
the two incoming modes. Due to traveling through both arms, the first mode yields outgoing pulses 
both at time $t_0 = t'_0 + T_{\text{short}}$ and at $t_1 = t'_0 + T_{\text{long}} = t'_0 + T_{\text{short}} + \Delta T = t_0 + \Delta T$. 

When the second pulse enters the interferometer, it also travels through both arms. Intuitively, 
the part of the $t'_1$ mode that travels through the short arm interferes with the part of the $t'_0$ mode 
that travels through the long arm, and the output exits the interferometer at $t_1$. The part of the 
second pulse that travels through the long arm exits the interferometer at time $t_2 = t_1 + \Delta T$. As 
a result, we can actually see six pulses at the two output arms, three in each direction, with the 
two middle pulses determined by the interference between the two pulses arriving into Bob's lab. 
We shall now write this formally. 

1. Beam splitter 

Each one of the beam splitters has two input arms (modes 1, 2) and two output arms (modes 
3, 4), see Figure 3. Each entering photon is transmitted (or reflected) with probability 0.5; the 
transmitted part keeps the same phase as the incoming photon, while the reflected part gets an 
extra phase of $e^{i\pi/2}$. Specifically, $|10\rangle^F_{1,2} \to \frac{1}{\sqrt{2}}(|10\rangle^F_{3,4} + i|01\rangle^F_{3,4})$ and $|01\rangle^F_{1,2} \to \frac{1}{\sqrt{2}}(i|10\rangle^F_{3,4} + |01\rangle^F_{3,4})$. 
Thus, for a single photon state, the transformation is of the form 

$$\alpha|10\rangle^F_{1,2} + \beta|01\rangle^F_{1,2} \to \frac{\alpha + i\beta}{\sqrt{2}}|10\rangle^F_{3,4} + \frac{i\alpha + \beta}{\sqrt{2}}|01\rangle^F_{3,4}. \tag{B1}$$

It is important to note that when a single mode (carrying a single photon) enters a beam 
splitter from one arm, and nothing (namely, vacuum) enters the other arm (say, a = = 0), 
there are still two output modes. This means that the other (vacuum) entry must be considered 
as an additional mode — an ancilla carrying no photons. 




FIG. 3. A symmetric beam-splitter with two input modes (1) and (2) and two output modes (3) and (4). 



2. Phase shifter 

The controlled phase shifter performs a phase shift on the input state by a given phase $\phi$, 
i.e. $P_\phi(|n\rangle^F) = e^{in\phi}|n\rangle^F$, see [53]. The users can change the phase according to the specific basis 
in use. Clearly, the transformation changes only the mode which travels through the phase shifter 
(on the long arm), while the other modes do not change. 
3. Evolution of a single pulse through the interferometer 

When a single mode, carrying one or more photons, enters the interferometer, three ancillas in 
a vacuum state are added by the interferometric setup (see Figure 4). As mentioned above, the 
mode entering the interferometer at time $t'_0$ yields two modes at time $t_0$, and two modes at time 
$t_1$. These four output modes are: times $t_0$, $t_1$ at the 's' (straight) arm of the interferometer, and 
times $t_0$, $t_1$ at the 'd' (down) arm of the interferometer. A basis state of this Fock-space can be 
written as $|n_{s_0}, n_{s_1}, n_{d_0}, n_{d_1}\rangle^F$. 



Pulse (1) is about to enter the interferometer. A vacuum ancilla 
(1') is added at the input of the first beam splitter, $BS_1$. 

Pulses (1) and (1') interfere in the first beam splitter ($BS_1$) 
and yield a superposition of (2) and (3) in the short and long 
arms of the interferometer, respectively, $|1\rangle^F_1|0\rangle^F_{1'} \to (|1\rangle^F_2|0\rangle^F_3 + i|0\rangle^F_2|1\rangle^F_3)/\sqrt{2}$. 
Pulse (2) is about to enter the second beam splitter ($BS_2$) so a vacuum ancilla is added (2'). 

Pulses (4) and (5) are created by pulses (2) and (2'), 
$\frac{1}{\sqrt{2}}|1\rangle^F_2|0\rangle^F_{2'} \to (i|1\rangle^F_4|0\rangle^F_5 + |0\rangle^F_4|1\rangle^F_5)/2$. Pulse (3) is about to 
enter the second beam-splitter so a vacuum ancilla is added (3'). 

Pulses (6) and (7) are created by the interference of (3) and (3'), 
$\frac{i}{\sqrt{2}}|1\rangle^F_3|0\rangle^F_{3'} \to (i|1\rangle^F_6|0\rangle^F_7 - |0\rangle^F_6|1\rangle^F_7)/2$. 

FIG. 4. Evolution in time of a single photon pulse through the interferometer with $\phi = 0$, 
$|1000\rangle^F_{1,1',2',3'} \to \frac{1}{2}(|1000\rangle^F - |0100\rangle^F + i|0010\rangle^F + i|0001\rangle^F)_{5,7,4,6}$. The output state is denoted by modes $|n_{s_0}, n_{s_1}, n_{d_0}, n_{d_1}\rangle^F$ 
that correspond to modes (5), (7), (4) and (6) respectively. 

Assume that a single photon enters the interferometer at time $t'_0$. Using the above notations, 
the interferometer's transformation is given by 

$$|1\rangle^F_{t'_0}|000\rangle^F \to \left(|1000\rangle^F - e^{i\phi}|0100\rangle^F + i|0010\rangle^F + ie^{i\phi}|0001\rangle^F\right)/2. \tag{B2}$$

Note the three vacuum ancillas that were added. Also note that a pulse which is sent at a different 
time (say, $t'_1$, or $t'_{-1}$, etc.) results in the same output state, with appropriate delays. That is, a 
pulse entering the interferometer at time $t'_j$ results in the state $(|1000\rangle^F - e^{i\phi}|0100\rangle^F + i|0010\rangle^F + 
ie^{i\phi}|0001\rangle^F)/2$ in a Fock-space with basis states $|n_{s_j}, n_{s_{j+1}}, n_{d_j}, n_{d_{j+1}}\rangle^F$. 

4. Evolution of two pulses through the interferometer 

We are now ready to consider the setup of Figure 1 and two input modes, $t'_0$ and $t'_1$, that enter the 
interferometer one after the other, with exactly the same time difference $\Delta T$ as the interferometer's 
arms. As a result of this precise timing, the two modes are transformed into a superposition of 
only six modes (instead of eight modes) at the outputs (see Figure 5). Four (vacuum state) ancillas 
are added during the process and the resulting six modes are $t_0$, $t_1$, $t_2$ at the 's' arm and the 'd' 
arm of the interferometer. A basis state of this Fock-space is therefore $|n_{s_0}, n_{s_1}, n_{s_2}, n_{d_0}, n_{d_1}, n_{d_2}\rangle^F$. 
If exactly one photon enters the interferometer, we can use Equation (B2) to obtain 

$$\begin{aligned}
|0_z\rangle|0000\rangle^F &\to \left(|100000\rangle^F - e^{i\phi}|010000\rangle^F + i|000100\rangle^F + ie^{i\phi}|000010\rangle^F\right)/2 \\
|1_z\rangle|0000\rangle^F &\to \left(|010000\rangle^F - e^{i\phi}|001000\rangle^F + i|000010\rangle^F + ie^{i\phi}|000001\rangle^F\right)/2
\end{aligned} \tag{B3}$$

Recall that $|0_z\rangle = |10\rangle^F_{t'_0 t'_1}$ and $|1_z\rangle = |01\rangle^F_{t'_0 t'_1}$. It follows that an arbitrary qubit is transformed as 

$$(\alpha|10\rangle^F + \beta|01\rangle^F)|0000\rangle^F \to \frac{\alpha}{2}|100000\rangle^F + \frac{\beta - \alpha e^{i\phi}}{2}|010000\rangle^F - \frac{\beta e^{i\phi}}{2}|001000\rangle^F + \frac{i\alpha}{2}|000100\rangle^F + \frac{i(\alpha e^{i\phi} + \beta)}{2}|000010\rangle^F + \frac{i\beta e^{i\phi}}{2}|000001\rangle^F$$



Appendix C: Robustness of xy-BB84 against a more realistic Eve 

In this section we prove that the xy-BB84 scheme is robust against an adversary that can send 
pulses with up to 2 photons. Although we believe that the protocol is robust against an unlimited 
Eve our proof is not scalable to the general case. 

1. Measurement of More Than One Photon 

Recall that a general (ideal) measurement of the k-mode Fock-state $|n_1, n_2, \ldots, n_k\rangle^F$ yields the 
numbers $n_1$ to $n_k$. However, we assume that Bob uses imperfect devices which might restrict him to 
perform only limited measurement [54-56]. A realistic Bob performs an incomplete measurement, 
in which some modes might not be measured, and for some modes he cannot detect the exact number of 
photons. For instance, Bob might measure a mode i using a threshold detector and only determine 
whether the mode is empty or non-empty (i.e., whether or not the number of received photons 
equals 0), described as the projection $P_i = \sum_{n_i=1}^{\infty} |n_1, n_2, \ldots, n_k\rangle^F\,{}^F\langle n_1, n_2, \ldots, n_k|$, where $n_j = 0$ 
for $j \neq i$. A better measurement could (theoretically) allow him to distinguish the exact number 
of photons populating the mode; this is done using a device named a counter, also known as a 
photon-number-resolving detector [57-59]. 

In the following, we consider the case in which Bob's detectors cannot distinguish between 
detecting a single photon or more. We stress that our robustness proof holds even for the limited 
(realistic) Bob described above, and not only for an ideal Bob. 
A general single-photon qubit, $\alpha|10\rangle^F + \beta|01\rangle^F$, enters the 
interferometer (modes (2) and (1)). Bob adds a vacuum ancilla (1') 
that interferes with mode (1) at the first beam splitter ($BS_1$). 

Pulses (1) and (1') interfere and yield pulses (3) and (4) in 
the short arm and the long arm respectively, $\alpha|1\rangle^F_1|0\rangle^F_{1'} \to 
\frac{\alpha}{\sqrt{2}}(|1\rangle^F_3|0\rangle^F_4 + i|0\rangle^F_3|1\rangle^F_4)$. Pulse (3) is about to enter $BS_2$, so 
a vacuum ancilla (3') is added. Pulse (2) is about to enter $BS_1$ 
so a vacuum ancilla (2') is added. 

Pulses (7) and (8) are created by the interference of (3) and (3'). 
Pulses (5) and (6) are created by the interference of (2) and (2') in $BS_1$. 

Pulses (9) and (10) are created by the interference of (4) and 
(5) in the second beam-splitter. Pulse (6) is about to enter $BS_2$ 
so a vacuum ancilla is added (6'). 

Pulses (11) and (12) are created by the interference of (6) and (6'). 

FIG. 5. Evolution in time of two modes through the interferometer with $\phi = 0$, 
$(\alpha|1\rangle^F_1|0\rangle^F_2 + \beta|0\rangle^F_1|1\rangle^F_2)|0000\rangle^F_{1',2',3',6'} \to \left(\frac{\alpha}{2}|100000\rangle^F + \frac{\beta - \alpha}{2}|010000\rangle^F - \frac{\beta}{2}|001000\rangle^F + \frac{i\alpha}{2}|000100\rangle^F + 
\frac{i(\alpha + \beta)}{2}|000010\rangle^F + \frac{i\beta}{2}|000001\rangle^F\right)_{8,10,12,7,9,11}$. The output state is denoted by modes 



2. A Robustness Proof for the xy-BB84 Scheme 



We begin by extending the interferometer transformation for pulses of two photons. 



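Proposition 5. If the time modes $t'_0$ and $t'_1$ contain exactly 2 photons, the pulse evolves in the 
interferometer in the following manner: 

$$\begin{aligned}
U_{IT}|2\rangle^F_{t'_0} = \frac{1}{4}\Big[\; & |200000\rangle^F + \sqrt{2}i|100100\rangle^F - |000200\rangle^F \\
& + e^{i\phi}\left(-\sqrt{2}|110000\rangle^F + \sqrt{2}i|100010\rangle^F - \sqrt{2}i|010100\rangle^F - \sqrt{2}|000110\rangle^F\right) \\
& + e^{2i\phi}\left(|020000\rangle^F - \sqrt{2}i|010010\rangle^F - |000020\rangle^F\right) \Big]
\end{aligned} \tag{C1}$$

$$\begin{aligned}
U_{IT}|11\rangle^F_{t'_0 t'_1} = \frac{1}{4}\Big[\; & |110000\rangle^F + i|100010\rangle^F + i|010100\rangle^F - |000110\rangle^F \\
& + e^{i\phi}\left(-\sqrt{2}|020000\rangle^F - \sqrt{2}|000020\rangle^F - |101000\rangle^F + i|100001\rangle^F - i|001100\rangle^F - |000101\rangle^F\right) \\
& + e^{2i\phi}\left(|011000\rangle^F - i|010001\rangle^F - i|001010\rangle^F - |000011\rangle^F\right) \Big]
\end{aligned} \tag{C2}$$

with basis $|n_{s_0}, n_{s_1}, n_{s_2}, n_{d_0}, n_{d_1}, n_{d_2}\rangle^F$. Note that $U_{IT}|2\rangle^F_{t'_1}$ is immediate from $U_{IT}|2\rangle^F_{t'_0}$. 

Proof. Consider the evolution of a pulse with 2 photons through a beam-splitter [53] 

$$\begin{aligned}
|20\rangle^F_{1,2} &\to \tfrac{1}{2}\left(|20\rangle^F + \sqrt{2}i|11\rangle^F - |02\rangle^F\right)_{3,4} \\
|02\rangle^F_{1,2} &\to \tfrac{1}{2}\left(-|20\rangle^F + \sqrt{2}i|11\rangle^F + |02\rangle^F\right)_{3,4} \\
|11\rangle^F_{1,2} &\to \tfrac{i}{\sqrt{2}}\left(|20\rangle^F + |02\rangle^F\right)_{3,4}
\end{aligned}$$

Composing the two beam-splitters and phase shift, with the appropriate delays immediately leads 
to the above result. □ 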

Theorem 6. The xy-BB84 scheme is robust against an attack limited to pulses with at most two 
photons. 

Proof. We consider three different cases, according to the number of photons occupying the modes 
$t'_0$ and $t'_1$. 

1. There are 0 photons in modes $t'_0$ and $t'_1$: For instance, Eve sends the state $|11\rangle^F$ or $|20\rangle^F$. 
These kinds of states always cause a loss since they never reach Bob's detectors at time $t_1$. 
Eve can send a superposition of any such states, and Bob will not be able to distinguish 
them from the case that Eve sends $|V\rangle$. Such states are in $J_{\text{loss}}$ and do not affect the error 
rate. 

2. There is a single photon in modes $t'_0$ and $t'_1$: For instance, Eve sends . This case is 
not the same as sending a single photon, but since only one photon can be measured at time 
$t_1$, we can consider this case as giving Eve the second photon, instead of sending it to Bob. 
Thus, we can use the robustness proof for a single photon of Section IV B to deal with this case 
as well. 

3. Both photons are in modes $t'_0$ and $t'_1$: Assume Eve sends Bob a 2-photon state of the 
form $|\psi_{\alpha,\beta,\gamma}\rangle = \alpha|20\rangle^F_{t'_0 t'_1} + \beta|11\rangle^F_{t'_0 t'_1} + \gamma|02\rangle^F_{t'_0 t'_1}$. We show that if Eve causes no errors, 
Corollary 1 restricts the state to be a multiple-photon version of the state expected by 
Bob. E.g. if Bob expects $|0_x\rangle$, the only 2-photon state that causes no errors is $|0_x\rangle^{\otimes 2} = 
\frac{1}{2}\left(|20\rangle^F_{t'_0 t'_1} + \sqrt{2}|11\rangle^F_{t'_0 t'_1} + |02\rangle^F_{t'_0 t'_1}\right)$. 
We demonstrate the above only for the case of $|0_x\rangle$. The other cases can be achieved in 
a similar way. Recall that in this case an error happens if Bob's $d_1$ detector clicks. This 
means that in order to have no errors, we must require that ${}^F\langle abcdef|U_{IT}|\psi_{\alpha,\beta,\gamma}\rangle = 0$ for any 
element with b > 0. 

A zero overlap with $|020000\rangle^F$ implies $\alpha - \sqrt{2}\beta + \gamma = 0$. The element $|010010\rangle^F \in J_{\text{invalid}}$ 
since it causes a click in both detectors, which implies an inconclusive result (that must be 
interpreted as an error, since Alice's states are assumed to contain only a single photon). 
Since ${}^F\langle 010010|U_{IT}|20\rangle^F_{t'_0 t'_1} = -{}^F\langle 010010|U_{IT}|02\rangle^F_{t'_0 t'_1}$ and ${}^F\langle 010010|U_{IT}|11\rangle^F_{t'_0 t'_1} = 0$, a 
zero-overlap requires $\alpha = \gamma$. The only solution for the above constraints is $\beta = \sqrt{2}\alpha = \sqrt{2}\gamma$, and 
one can easily verify that $|\psi_{\alpha=\frac{1}{2},\beta=\frac{1}{\sqrt{2}},\gamma=\frac{1}{2}}\rangle$ causes no error if Bob expects $|0_x\rangle$, i.e. Bob's 
detector at $s_1$ will never click. 

Note that Eve cannot perform an attack that always sends Bob a perfect 2-photon copy of 
the state sent by Alice, due to no-cloning. 

Last, we consider superpositions of states with different numbers of photons (e.g., $(|01\rangle^F + 
|20\rangle^F)/\sqrt{2}$, etc.). We note that the overlap of states with different numbers of photons is always 
zero. Since $\langle m_1, m_2, \ldots, m_k|m'_1, m'_2, \ldots, m'_k\rangle = \prod_{i \in \{1 \ldots k\}} \langle m_i|m'_i\rangle$, then if $\sum_i m_i \neq \sum_i m'_i$, the overlap 
must be zero. It follows that in order to have zero overlap with a state $|\psi\rangle \in J_{\text{error}} \cup J_{\text{invalid}}$ we 
only need to consider pulses with the same number of photons as $|\psi\rangle$. □ 
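
The zero-error condition used in case 3 of the proof, checked numerically as an added example (not code from the paper): each input creation operator is replaced by its image under Equation (B2) with φ = 0, the two-photon state is expanded, and the probability of every outcome with a photon in $s_1$ (the elements with b > 0) is summed. The function names are this sketch's own.

```python
from collections import Counter, defaultdict
from itertools import product
from math import factorial, sqrt

def mode_map(j):
    """Image of the creation operator of input mode t'_j, per Equation (B2) with phi = 0.
    Keys are output modes (arm, time-bin); values are amplitudes."""
    return {("s", j): 0.5, ("s", j + 1): -0.5, ("d", j): 0.5j, ("d", j + 1): 0.5j}

def output_amplitudes(alpha, beta, gamma):
    """Fock amplitudes after the interferometer for
    alpha|20> + beta|11> + gamma|02> on input modes t'_0, t'_1."""
    # |20> = (a0+)^2/sqrt(2)|vac>, |11> = a0+ a1+|vac>, |02> = (a1+)^2/sqrt(2)|vac>
    terms = [(alpha / sqrt(2), 0, 0), (beta, 0, 1), (gamma / sqrt(2), 1, 1)]
    poly = defaultdict(complex)  # pair of output modes -> operator coefficient
    for coeff, j, k in terms:
        for (m, cm), (n, cn) in product(mode_map(j).items(), mode_map(k).items()):
            poly[tuple(sorted((m, n)))] += coeff * cm * cn
    fock = {}
    for modes, c in poly.items():
        # (a+)^n |vac> = sqrt(n!) |n>: two photons in one mode pick up sqrt(2)
        norm = 1.0
        for count in Counter(modes).values():
            norm *= sqrt(factorial(count))
        fock[modes] = c * norm
    return fock

def click_probability(alpha, beta, gamma, detector=("s", 1)):
    """Probability of outcomes with at least one photon in `detector`."""
    amps = output_amplitudes(alpha, beta, gamma)
    return sum(abs(a) ** 2 for modes, a in amps.items() if detector in modes)

def total_probability(alpha, beta, gamma):
    """Sanity check: the output state must stay normalized."""
    return sum(abs(a) ** 2 for a in output_amplitudes(alpha, beta, gamma).values())

if __name__ == "__main__":
    r = 1 / sqrt(2)
    for name, st in (("two-photon |0x>", (0.5, r, 0.5)), ("|11>", (0, 1, 0)),
                     ("|20>", (1, 0, 0)), ("two-photon |1x>", (0.5, -r, 0.5))):
        print(name, round(click_probability(*st), 6))
```

Only the state with α = γ and β = √2α gives zero probability at $s_1$; the other inputs tried here, including the inconclusive double click $|010010\rangle$ where it occurs, produce a nonzero rate.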